Rejecting the Attack: Source Authentication for 
Wi-Fi Management Frames using CSI Information 



Zhiping Jiang*, Jizhong Zhao*, Xiang-Yang Li^, Jinsong Han*, Wei Xi* 
* School of Electronic and Information Engineering, Xi'an Jiaotong University, Xi'An, China 

f Department of Computer Science, Illinois Institute of Technology, Chicago, IL 
Email: {jiangzp.cs, weixi.cs}@ gmail.com, xli@ cs.iit.edu, {zjz,hanjinsong}@ mail.xjtu.edu.cn 



Abstract — Comparing to well protected data frames, Wi-Fi 
management frames (MFs) are extremely vulnerable to various 
attacks. Since MFs are transmitted without encryption, attack- 
ers can forge them easily. Such attacks can be detected in 
cooperative environment such as Wireless Intrusion Detection 
System (WIDS) 1 1|. However, in non-cooperative environment it 
is difficult for a single station to identify these spoofing attacks 
using Received Signal Strength (RSS)-based detection, due to 
the strong correlation of RSS to both the transmission power 
(Txpower) and the location of the sender. 

By exploiting some unique characteristics {e.g., rapid spatial 
decorrelation, independence of Txpower, and much richer di- 
mensions) of the Channel State Information (CSI), a standard 
feature in 802.1 In Specification, we design a prototype, called 
CSITE, to authenticate the Wi-Fi management frames by a 
single station without external support. Our design CSITE, built 
upon off-the-shelf hardware, achieves precise spoofing detection 
without collaboration and in-advance finger-print. Several novel 
techniques are designed to address the challenges caused by user 
mobility and channel dynamics. To verify the performances of 
our solution, we implement a prototype of our design and conduct 
extensive evaluations in various scenarios. Our test results show 
that our design significantly outperforms the RSS -based method 
in terms of accuracy, robustness, and efficiency: we observe about 
8 times improvement by CSITE over RSS-based method on the 
falsely accepted attacking frames. 

I. Introduction 

Wi-Fi technology is on its rapid evolution. 802.1 In standard 
supports up to 600Mbps throughput, and 802. Hi amendment 
provides strong protection. However, an attacker can still 
easily launch Denial of Service attack |2j-|4), break the con- 
nection between AP and client, establish a rogue AP, and even 
lead to Man-In-The-Middle (MITM) attack. All these attacks 
exploit the vulnerability of the 802.11 Management Frame 
(MF). Unfortunately, MF has always been flying "naked" in 
the air [5], and anyone can forge the MF easily. IEEE 802.1 lw 
introduces encryption-based authentication for several key 
MFs. However, some researches (6), (7) have identified that 
802.1 lw is still vulnerable to attacks. 

The MF spoofing attacks can be easily detected by Wireless 
Intrusion Detection System (WIDS) or similar systems (8)- 
p0| . Multiple monitoring stations are required to be deployed 
throughout the environment to overhear the wireless traffic. 
They cooperate in monitoring the Received Signal Strength 
(RSS) for the same MAC addresses. If an anomaly RSS 
variation appears, an attack is identified by a global decision. 



However, such a well secured environment with WIDS 
is not common. When WIDS information is not accessible, 
detecting spoofing MF merely based on local information 
is quite unreliable even in stationary situation. Since RSS 
highly correlates with transmission power (Txpower) and 
location (TTJ, (12), an attacker can estimate victim's RSS 
according to local RSS and distances to genuine station 
and victim. RSS-based detection therefore can be fooled by 
scanning Txpower. 

In search of a reliable management frame authentication 
mechanism which supports the operation of a single station, 
we learned that Intel WL5300 NIC can export another standard 
PHY-layer information in 802.1 In Specification fT3| , Chan- 
nel State Information (CSI). The exported CSI reveals the 
amplitude and phase for each subcarrier of the underlying 
OFDM system in the form of a complex number matrix. 
Fig. [T] presents the amplitude of CSI sample. After some proof- 
of-concept experiments, we believe CSI is ideal for source 
authentication. 




1 5 10 15 20 25 30 

Subcarriers 



Fig. 1. An example of CSI data. Since Intel 5300agn NIC has 3 antennas, 
there will be 3*30 subcarriers information for each MAC layer frames. For 
visual clarity, here we show only 40 frames. 

First, the CSI is the reflection of complex transmission 
procedure of OFDM subcarriers, which involves environment 
factors, antenna configurations, multipath fading, etc. Due to 
the complexity, CSI value decorrelates with location quite 
rapidly. An attacker cannot estimate the victim's CSI according 
to its own local CSI. Second, CSI reflects the impact of 
wireless channel on signal propagation, therefore changing 
Txpower has no influence on CSI. Third, CSI is a high- 
dimensional data. In a 3x3 802.1 In MIMO system, there are 
270 values in one CSI matrix. It is extremely difficult to forge 
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the CSI even with most sophisticated preparation. 

Based on such excellent features, we design CSITE, a 
management frame authentication system using off-the-shelf 
NICs. The idea is simple yet effective: regardless of the 
frame type, the transmission of both data and management 
frames between AP and legitimate stations undergoes the same 
fading and multipathing, which means that their CSI should 
be exactly similar. If an attacker injects a forged MF, the CSI 
of this frame must be quite different to the CSI trend learnt 
from previously accepted frames, thus we conclude that this 
frame is suspicious. 

Our CSITE system is based on a reasonable security as- 
sumption that the data frames under strong encryption, i.e. 
WPA2 with CCMP encryption for a relatively strong password, 
cannot be cracked in short time (14). Since an attacker cannot 
forge a data frame which can be received and correctly 
decrypted by legitimate station, the encrypted data frames are 
therefore considered to be sent from genuine station, and their 
CSI is always trusted. There are three main challenges that 
should be carefully addressed to make our prototype CSITE 
work in practice. 

First, compared to one-dimensional temporal RSS data, for 
each frame there is a large complex number matrix of the size 
N tx x N rx x 30, where N tx and N rx denote the number of 
transmitting and receiving antennas respectively. Identifying 
anomaly data points in such a high-dimensional data stream 
is a big challenge when the sampling frequency is high. 

Second, it is the spatial decorrelation property that makes 
CSI unforgeable, but this also makes the authentication in- 
tolerable to often happened channel dynamics, e.g., those 
caused by crowd flow or user mobility. To ensure that all 
potential spoofing MFs are rejected, we will more likely 
reject many more genuine MFs if the system is not carefully 
designed for the scenarios with intensive channel dynamics. 
A mechanism should be carefully devised to guarantee the 
successful delivery of genuine MF. 

Third, the NIC doesn't produce CSI for management frames 
by default. 802.1 In standard provides non-mandatory options 
to transmit nearly all frames in "HT" rate, which is necessary 
for measuring CSI. However all MAC layer implementation 
and drivers still use the old but compatible code which 
transmits the MFs in legacy format. 

Fortunately, since the number of management frames trans- 
mitted for normal communication is small, high accuracy CSI- 
based filter can be achieved without affecting the network 
throughput. To cope with the channel dynamics, we devise 
a method called "CSI Resolution Enhancement" (CRE) to 
ensure the transmission of legitimate MF even under highly 
intensive channel dynamics. Since it is standard-permitted and 
technically possible for sending management frames in "HT" 
rate, we added additional functionalities to the MAC layer 
implementation and NIC drivers to enable the transmission of 
management frames in "HT" rate. 

In summary, the main contributions of this paper are as 
follows. We design CSITE, a cross-layer system based on 



CSI to perform PHY-layer source authentication for Wi-Fi 
management frames. In addition to the natural advantages of 
single-station accurate authentication, CSITE can also cope 
with user mobility, and no cooperation and no in-advance 
finger-print are needed for the system. We implement a 
prototype of CSITE using the off-the-shelf hardware and 
conduct extensive studies on the performance of our method 
in various scenarios. Our evaluations show that CSITE has 
excellent performance on accuracy, robustness, and efficiency. 
It significantly outperforms the RSS -based method in the same 
scenarios. For example, when the client and the attacker are 
walking with regular speed, CSITE accepts some attacking 
frames with probability about 2%, while RSS -based method 
accepts attacking frames with probability about 18% for the 
same scenario. When only the client is moving, we observe 
similar improvement (about 8 times) by CSITE over RSS- 
based method on the falsely accepted attacking frames. A 
significantly better improvement is obtained in stantionary 
scenarios. See Section |IV| for details. To the best of our 
knowledge, we are the first to exploit the unique characteristics 
(e.g., rapid spatial decorrelation, independence to Txpower, 
and rich dimensions) of off-the-shelf platform's Channel State 
Information (CSI) for authenticating management frames in 
Wi-Fi networks. 

The rest of the paper is organized as follows. Section [II] 
presents some preliminaries and reviews related works. Sec- 
describes the CSITE system design. A series of 
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experimental results and analysis are shown in Section [TV] We 
discuss the compatibility and other security issues in Section |V| 



and conclude the paper in Section VI 



II. Background and Related Work 

In this section we first give a brief review of OFDM, CSI, 
and 802.1 In, which are the foundations of CSITE design. Then 
a review of related works are presented. 

A. OFDM, CSI and 802.1 In 

802.11a/g/n adopt Orthogonal Frequency Division Multi- 
plexing (OFDM) technology. In OFDM, the overall wide band- 
width channel is divided into many small but orthogonal sub- 
carriers or sub-channels. In 802.11a/g/n, 52/56 (802.1 la/g or 
802.1 In) subcarriers are used to transmit data. Since a channel 
is divided into many subcarriers, estimating the channel state is 
equivalent to measuring the parameters for all the subcarriers. 
In IEEE 802.1 In and its successor 802.1 lac, Channel State In- 
formation (CSI) is a complex number matrix which describes 
the channel frequency response, each complex value h in CSI 
matrix could be transformed to polar coordinates that 



h 



jZh 



where \h\ and Zh denote the amplitude and phrase of each 
subcarrier. 

However, not all frames have CSI. Measuring CSI is more 
complicated than simple RSS measurement. To support such 
measurement and other PHY-layer features, 802.1 In intro- 
duces new preamble components (HT-SIG, HT-STF, HT-LTF) 
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for each frame transmitted in 802.1 In "HT" rate format. When 
Not Sounding option in HT-SIG is false and HT-LTF (High 
Throughput-Long Training Field) field exists in the preamble, 
the NIC will measure the CSI for this frame. 

B. Related Works 

Numerous researches claim to have the ability to detect 
MAC-layer spoofing attacks based on RSS or Sequence Num- 
ber (SN) (8), fT5| , fT6| . However, Txpower can be adjusted 
to forge the same RSS level, while SN could be forged by 
following the original pattern. Fingerprint based on hardware 
transceiver profile is thought to be a perfect solution (T7), but 
advanced attacker using arbitrary waveform generator, can still 
compromise the fingerprint (18). 

Wireless Intrusion Detection System (WIDS) or similar 
systems (8), (T5) , (T9| can provide reliable attacking detection 
in secured environment, but these approaches are limited due 
to the deployment of monitor stations. To the best of our 
knowledge, the most advanced RSS-based detection is the 
RCVI (20). This work cleverly exploits the reciprocity of 
RSS variance in mobile wireless networks. By detecting the 
mis-matched RSS variation, an Identity-based Attack (IB A) is 
detected. However, RCVI require the sender to report the RSS 
records of the latest received ACK frames, which is a slightly 
high requirement. 

There are growing interests in authentication, location dis- 
tinction and even localization based on physical layer infor- 
mation. Channel Impulse Response (CIR) has been used to 
provide robust location distinction in (21), (22). There are 
some works |23)-|25) that went further trying to provide 
precise indoor localization either by identifying the Line-Of- 
Sight components or by identifying cluster information in CSI. 

A new attack against PHY-layer authentication called 
mimicry was identified in (26). However, such attack is neither 
easy to launch due to the existence of symbol sensor, nor likely 
to succeed due to the MIMO technique which introduces richer 
channel information. 

III. CSITE Design 

In this section, we will first present some of our observations 
on which the design of CSITE are based. Then the design of 
CSITE is presented in details. 

A. Observation by Testing 

A simple injection experiment is conducted to observe 
the characteristics of CSI. We collected 3000 frames, among 
which the first 1500 frames are from legitimate station, while 
the following 1500 frames include frames from both attackers 
and legitimate station. Fig|2] (a) shows the amplitude of the 
experiment sample, where different colors denote different 
amplitudes. We can see the attacker starts injecting a group of 
attacking frames periodically after the 1500th frame, and the 
visual difference between normal frames and injected frames 
is clear. 



Fig(2] (b) shows the empirical probability density function 
(PDF) of subcarrier 20 collected from the first 1500 frames 
by directly plotting the Re(h) and Im(h) dots, where h is the 
CSI for this subcarrier. Since the amplitude is stable during 
the test and the phase is uniformly distributed between to 2tt 
(due to the subjection to Rayleigh Distribution), we observed 
a ring-shaped structure with narrow width. Fig|2] (c) shows 
the PDF of all the CSI for subcarrier 20. Due to the ampli- 
tude difference between the legitimate and injected frames, 
a double-ring shaped structure is presented. Such amplitude 
difference can be used to detect the attacking frames. 

B. CSITE Architecture 

We are now ready to discuss the architecture of our CSITE 
prototype for authenticating MF frames in Wi-Fi environment. 

The CSITE system consists of two parts: CSITE filter 
and MF transmission assurance system. The CSITE filter 
implements our CSI-based spoofing detection algorithm, and 
its goal is to detect and reject any suspicious MFs. However, 
the safety and efficiency are always contradictory. In dynamic 
environment, CSITE filter may also reject some legitimate 
MFs. In such case, the sender should take measures to ensure 
the successful delivery of legitimate MFs without compromis- 
ing the security standard of receiver's CSITE filter, and this is 
achieved by the MF transmission assurance system. 

Since routine data frames are naturally used to update 
CSI pattern, we don't exert extra burden to network traffic. 
However to cope with the burst of transmission and asymmetry 
between uplink and downlink, we set a maximum interval 
T irn between two CSI updates. Once a station has not been 
updated for a time duration exceeding T irn , it will send a 
ICMP "Probe Request/Reply" probe to force a CSI probe. 
Then the update frequency, denoted as f 8 , of a station would be 
max (1/ Ti m , fdi), where fdi denotes the downlink data frames 
frequency. 

C. CSITE filter 

The mission of CSITE filter is quite clear. Let Sy denote 
the frame stream received by a station, and Sy is composed 
of three parts: Sy = {S d , S m , S in }. Here {S d } and {S m } 
are the encrypted data frame stream and management frame 
stream sent from genuine station, respectively. {Si n } is the 
forged frame stream sent by attackers using injection tools. 
Our mission is to determine, for a newly arrival management 
frame M, whether it's sent from genuine station or attacker 
based on the CSI pattern learnt from Sd- On designing such 
an filter, there are two technical requirements: 
1) Low False Positive (FP) error: Classifying frames into 
"legitimate" frames and "suspicious" frames could intro- 
duce two errors: wrongfully accepting an attacking frame 
(called false negative (FP) hereafter), and wrongfully 
rejecting a legitimate frame (called false Negative (FN) 
hereafter). Since re-transmission can be launched once a 
delivery fails, the FN error is tolerable to some extent. 
However, due to the high risk of successive attacks (e.g., 
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(a) CSI sample with injection (b) PDF for SC20 (first 1500 frames) (c) PDF for SC20 (all data) 

Fig. 2. (a) Amplitude of CSI sample where warmer colors denote larger amplitudes. Attacking frames are injected starting from frame number 1500. (b) 
PDF for sub-carrier 20 of the first 1500 frames, where the value (denoted by colors) at a point is the number of frames with this CSI. (c) PDF for sub-carrier 
20 of all samples, including attacking frames. 



man-in-the-middle attacks) triggered by some spoofing 
attacks, such as de-authentication attack, the FP error is 
absolutely not acceptable. 
2) Low overhead: In a real world environment, network 
throughput could be very high, large computation and 
communication overhead for detecting attacks will sig- 
nificantly degrade the network performance. 

Due to the rapid spatial decorrelation, the CSI of spoofing 
frames are highly probable to be "distant" from the CSI of 
legitimate frames. Thus, detecting spoofing frames can be 
viewed as an online anomaly detection problem and the goal 
is to identify such "distant points". 

K-Nearest Neighbour (KNN) (27) is a common solution for 
high-dimensional anomaly detection (28). Notice that because 
a MF frame is said to be a suspicious frame if it significantly 
deviates from the trend of most recently accepted frames, the 
"anomaly" detection for the problem studied in this paper also 
needs to consider the temporal distance of the frames. Thus, 
traditional KNN algorithms cannot be directly applied here. 

We design an accurate and effective distance-based spoofing 
detection algorithm. To reflect the impact of the timing char- 
acteristics of all frames, our distance metric takes both spatial 
and temporal distance into account. An self-adaptive threshold 
is determined to classify a CSI point into two catagories 
"trusted" or "suspicious". However, before introducing the 
algorithm, we should first reduce the data point dimension. 

Dimensionality Reduction: The dimension of CSI data point 
is very large, which will consume large computational re- 
source. Even we set the MIMO Tx-antenna N tx = 1 and Rx- 
antenna N rx = 3 for our prototype, the dimension of the CSI 
data point for each frame is Dim(SY) = N tx x N rx x 30 = 90, 
which is still too large, especially for AP, which is going to 
handle multiple connections. 

As phase is uniformly distributed between — 7r and +7r (due 
to the Rayleigh Distribution) which provides no discriminative 
information, the complex number data point Y is first reduced 



to a real number data point containing only the amplitude Y = 
\Y\. Since amplitudes of subcarriers exhibit certain continuous 
structure as shown in Fig[T] we can further merge the adjacent 
amplitudes. In our system, every 2 adjacent amplitudes are 
merged to their mean as (Yi + Y$+i)/2. 

Frame Authenticity Verification: 

To verify the claimed authenticity, each receiver holds a 
sliding window W r to store the latest verified CSI points with a 
length Lw- Determining whether a MF is from genuine station 
is equivalent to determining how distant a MF is from to the 
CSI trend in W r . If the incoming MF frame perfectly follows 
the trend, it is highly likely to be a true MF; otherwise it is 
suspicious. We will use the "degree of following" (DOF) (exact 
definition will be given later) to characterize how closely a 
newly received MF M follows the trend defined by frames 
in the sliding window W r . This DOF is determined by two 
factors: the distance to its k nearest points in the window W r 
and the time difference between M's arrival time tM and the 
arrival times of its k nearest points. 

Suppose there are n dimensions in each data point after di- 
mensionality reduction. We first define the Euclidean distance 
between CSI point A and B as dist(A,B) = (Y%=i( A i ~ 
Bi) 2 )* . We then define the following coefficient between these 
two points as 

fc(A,B) = e HltA - tBl) 

where A is a constant called time gain factor and tA denotes 
the arrival time of point A. We then define the "time-gain 
distance" between point A and B as 

tgd(A, B) = dist(A, B)-fc(A, B) 

Let Nl 9d (M, W r ) = {Pi, P 2 , • • • , P k } be the fc-NN of M 
from the sliding window W r under the TGD distance. The 
"Degree of Following" (DoF) of a new arrival management 
frame M is then defined as 

DoF(M) = ^LllE^l3ll\p. e Nl 9d (M,W r ) (1) 

Dynamic Threshold Scaling (DTS) : We use threshold r to 
decide whether to accept a newly arrived frame M: the M is 
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considered to be legitimate iff DoF(M) < r. Recall that the 
premier goal of CSITE is to prevent FP error, the r should 
be adjusted adaptively to defend attacks even under highly 
dynamic environment. Based on a reasonable assumption that 
the DoF of a newly arrival legitimate MF M is highly probable 
to be similar to the DoFs of the recently accepted points. Thus 
in our system r is determined according to the latest DoFs. 
Let QbiyV r ) denote the most recently accepted 6-th point in 
the window W r . Instead of using simple mean or median, the 
r is set to z-th percentile of DoFs of recently accepted points, 
Meet al. 



r= Pi ({DoF(Q b (W r )) \ l<b< k}) 



(2) 



where Pi(S) denotes the ith percentile function. Although 
Eq. ^ requires k x L w calculation, it can be optimized by 
pre-caching the distance matrix between points Pi G W r and 

Pj G W r . 

Here the right selection of percentile i is vital for the system. 
When there is little channel dynamics, average DoFs of 
recently accepted frames could be very low. It may cause more 
FN error (reject the legitimate MF), thus slightly higher i is 
preferred. While there is intensive channel dynamics, average 
DoFs of recently accepted frames could be very high. In such 
case the DoF of a legitimate MF is not necessarily lower 
than the DoF of an attacking frame, thus lower i is preferred 
for security concerns. An negative correlation between i and 
Channel Stability is needed. 

In CSITE, we define the channel stability aw as the mean of 
the standard variance of the differences between two adjacent 
CSI points that 



a w = (std n (\Pj-P j+1 \)),ne [l,Dim(Pi)],j G [1,L W - 1] 

where std n stands for the standard variance for nth dimension 
of the CSI in window. We then define a effective negative 



correlation between i and aw as i\ 



aw/vy 



-, and 



w 



h if h G [5,95] 
5 if h < 5 
95 if i\ > 95 



(3) 



Here io is set to 75 as default, and a^ denotes the reference 
aw, which is measured during the CSITE initialization and 
it is adjusted to current aw when environment is "stable" (In 
such condition, the current aw is not changing for a time t a ). 

Based on the definition of DoF(M), r, and i, we design 
our source authentication algorithm as shown in Algorithm[T] 

D. MF transmission assurance system 

Due to the rapid spatial decorrelation and the negative 
correlation between i and aw, the CSITE filter is more likely 
to reject than to accept any suspicious frames. In dynamic 
environment, it is even harder to classify a MF into "trusted" 
due to the large noise. How to guarantee the delivery of 
legitimate MFs in any case is a big problem. 



Algorithm 1 Spoofing Frame Detection Algorithm 
Input: 

The CSI amplitude of a newly received frame Y; 

The encryption property of Y, 

attr en (Y) G {encrypted, unencrypted} 
Output: A security classification of Y, 

attr sec (Y) G {trusted, suspicious} 
l: for each new arrival frame Y do 
2: if attr en (Y) == encrypted then 
3: sliding window W r move forward to include Y 
4: attr sec (Y) = trusted 
5: else 

6: calculate the DoF(Y) according to eq[T] 
7: calculate the r according to eq|2] 
8: if DoF(Y) < r then 

9: sliding window W move forward to include Y 

10: attr sec (Y) = trusted 

ll: else 

12: attr sec (Y) = suspicious 



Despite rapid spatial decorrelation, wireless signal propaga- 
tion can be well modelled as an analogue continuous system. 
In this system when sampling rate f s — ^ oo, the differences 
between each sampling AD 0. It means when the frame 
rates is high enough, we can see very smoothed and slow- 
changing CSI amplitude surface under intensive channel dy- 
namics. Fig. [3] presents a proof-of-concept experiment. During 
the experiment, large files are transmitted in HT rate between 
fast-moving stations, Fig. [3ja) presents the temporal CSI data 
of a station. When we gradually zoom into the details specified 
by the black rectangle, we see very smooth surface just like 
in static environment. 

Based on this observations, we design a method called "CSI 
Resolution Enhancement" (CRE) to guarantee the delivery of 
MF. The core of CRE is that: if we transmit an unprotected MF 
M immediately after a group of high frequency "precursor" 
data frames, there will be smoothed amplitude surface in 
W r and receiver's CSITE filter will think it is in a static 
environment and accept the M by setting higher i. The sender 
repeats this procedure until the delivery succeed. 

Formally speaking, for each MF M we are about to transmit, 
we define a frame stream Sj = {Dq : D\, Di o ., M} with 
minimum transmission interval between frames, where Di are 
encrypted data frames. Sj is the j-th transmission procedure. 
We repeat this procedure until the frame M is successfully 
transmitted. 

Since the proportion of MF in normal communication is 
very small, we adopt a simple yet robust power-based scheme 
to guarantee the delivery. Suppose both sides keep the same 
k and Lw, the expected lj would be: 



lj = 2 j x (Zi + 1), j G (2, 3..., iV), lj < L w 



(4) 



This scheme simplifies the problem, and we only need to 
determine the initial value l\. An appropriate l\ will provide 
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Fig. 3. (a). Original view of CSI under highly dynamic environment, (b), (c), and (d) provide gradually zoomed views for the details circled by black box. 



highest "one-shot hit" (successfully deliver the MF by only 
one transmission) accuracy. In our system li is determined 
according to a linear relation is with respect to the percentile 

i as 



li=6(L w (l-—)),h>0 
75 



(5) 



where S(x) is the rounding function which picks the nearest 
normal number for x. 

Negative ACK encapsulated in Echo Request: There is a 
firmware-level limit: we have no control on the transmission 
of ACK frame. The firmware will emit the ACK frame no 
matter if the frame is rejected by the CSITE filter, therefore 
transmitter cannot determine if the delivery is successful. 

We adopt an ad hoc solution to inform the transmitter. 
Every time a frame does not pass the CSI filter, the receiver 
will immediately send a Negative-ACK to inform the sender. 
Such N-ACK is carried in a ICMP "ECHO REQUEST" frame 
whose echo content indicates the the failed frame type and 
sequence number, like "PROBE_REQUEST@42316". Since 
the frame is encrypted, only genuine transmitter can learn this 
N-ACK and start re-transmission as described above. However 
if such N-ACK emits for a spoofing attack, the genuine station 
will be aware of being forged and may trigger alarm. 

We mention again that this ad hoc solution exists only 
because we have no control on the ACK frames. 

IV. Prototype Evaluation and Analysis 

A. Prototype System Setup 

Our prototype system consists of 3 Lenovo laptops equipped 
with Intel 5300 NICs. Two of them form an AP-Client network 
with WPA2-AES PSK encryption. The other one acts as 
an attacker. Their drivers are all modified to enable them 
to transmit (or inject) management frames in HT rate in 
compliance to IEEE 802.1 In standard. 

B. Attacking Test Setting 

In order to fully evaluate the performance of CSITE filter 
and make comparison to RSS based detection, we designed test 
cases and applied them in 7 typical scenarios. The description 
of them are presented in Table [I] Scenarios A, B, and C test 
the performance when the client is stationary while channel 
dynamics are gradually increasing. D to F test the performance 
when client is moving with different speeds. G presents the 
final test that both client and attacker are moving. 

We run a test for each scenario and each test lasts for 5 
minutes. During the test, the AP and the client are continuously 



TABLE I 
Test Scenarios Description 



A 


Both the client and attacker are stationary in a controlled 
environment. 


B 


Same as A, but there is some channel dynamics caused 
by crowd flow. 


C 


The client is stationary, while the attacker is moving 
around. No crowd flow. 


D 


The client is moving, while the attacker is stationary, 
speed is normal. 


E 


The same as D, but moving speed is slow. 


F 


The same as D, but moving speed is fast. 


G 


Both the client and attacker are moving, speed normal. 
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Fig. 4. The CSI amplitude and RSS for the same received frames. The 
attacker periodically injects a group of attacking frames, and the Txpower is 
scanning from ldbm to 15dbm. In RSS view, a group of attacking frames are 
disappeared, while in CSI amplitude view they are clear. 



updating the CSI pattern in highest frequency, 800 fps in 
average, using the modified ping command. The client initiates 
20 Probe Requests to the AP every 0.3s, and the AP replies 
20 Probe Responses to the client immediately. Both Probe 
Request/Response are MFs and they formed the un-encrypted 
stream S rn . 

The attacker used aireplay-ng to inject 64 forged de- 
authentication frames to the client every 0.5s using the AP's 
MAC address. During the attack, the Txpower is scanned from 
ldbm to 15dbm in a loop. For the sake of convenience, we set 
a switch in the client to prevent the connection being really 
de-authenticated once the client wrongfully accepts the forged 
de-authentication frames. 

For each test case, we mainly focus on two error rates: FP 
error rate and FN error rate. Specifically, the FP error rate is the 
number of de- authentication frames which are considered to be 
sent from legitimate station over the totally received number of 
de-authentication frames. Similarly, the FN rate is the number 
of Probe Responses that are considered to be suspicious over 
the totally received number of Probe Responses. 



Scenarios 



Fig. 5. Error rates comparison between CSITE and RSS-based detection 
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Fig. 6. Impacts of update frequency on detection error rate. Both the FP and 
FN errors decrease when update frequency f s is increasing. In Scenarios A, 

B. and C, both the error rate quickly converge to 0, while for Scenarios D, 
E, F, G, higher frequency are needed to cut down the error rate. 

C. Compared to RSS-based Authentication 

Fig |4] presents a real sample in scenario A. The anomaly 
values periodically emerged in Figj4ja) and (b) denote the 
CSI and RSS of the attacking frames. Due to the Txpower 
scanning, the RSS of the injected frames happens to be 
identical to the RSS of normal frames at about 800th frames 
(which is circled in both the CSI and RSS view), and the RSS- 
based detection fails to detect this group of attacking frames. 
However, in the CSI view the amplitudes of these attacking 
frames are stable in about 30 db. 

To make a fair comparison between CSITE and RSS-based 
detection, we turn off the dynamic threshold scaling (DTS) 
function and set the default value for i = 75. Fig|5]presents the 
error comparison between CSITE and RSS-based detection in 
different scenarios. In stationary scenarios A, B, and C, CSITE 
achieves perfect FP error rate, while RSS-based detection 
yields an FP error rate about 6%. In motion scenarios, CSITE 
accepts about 2% attacking frames, while RSS-based detection 
accepts more than 17% attacking frames. It is about 8 times 
improvement made by CSITE over the RSS-based detection. 

D. Impacts of various parameters 

To identify the impacts of various parameters, we still turn 
off the DTS function and use default values k = 5, A = 1, 
L w = 40, i = 75 for the rest of evaluations if not specifically 
mentioned. 

I) Impact of update frequency f s : To test the impact of f S9 
we vary the sampling rate f s from 1Hz to 400Hz by uniformly 
dropping frames in the data stream. Fig [6] illustrates the FP and 
FN error rates in different scenarios when f s is increasing. 



(a) FP error rate (b) FN error rate 

Fig. 9. (a) and (b) show the FP and FN error rates when A is increasing. 
In stationary situation, the impact of A is little. A begins to take more effect 
when there is higher channel dynamics. 

In stationary scenarios, the FP and FN error rates drop to 
rapidly when f s is increasing. For motion scenarios, the 
FP error rate drops to about 5% when f s > 100Hz. When 
fs > 400i^z, the FP error rate is not higher than 3% even 
under most intensive dynamics in scenario G. 

However, we should mention that in normal communication 
the DTS function is turned on, the CSITE filter could reject al- 
most all attacking frames even when f s is very low, as verified 
by our results in Impact of Dynamic Threshold Scaling. 

2) Impact of the number of nearest neighbours k: Fig|7] 
shows the combined impact of k and f s on the error rate in 
scenarios A and G. Since r is partially determined by the 
time-gained distance of the latest accepted points, k and f s 
play an important role for deciding which points are taken into 
account. According to Fig|7Ja) and (b), higher k could reduce 
the error rate when in stationary situation. In motion scenarios, 
however, lower k is better. This is because higher k in this case 
will introduce more non-related CSI points, which become 
noises when determining the r. Based on the test conducted 
in all scenarios, we believe k = 5 is a suitable value for both 
the stationary and the motion scenarios. 

3) Impact of sliding-window length Lw: Fig[8] presents 
the combined effect of sliding-window length Lyy and k on 
scenarios A and G. In both the stationary and the motion 
situations, increasing Lyv is generally good for reducing error 
rate, but the marginal effect is reduced since the CSITE filter 
is tuned to choose the most recently accepted points. When 
Lyv > 40 + k, the benefit of increasing Lyy can be ignored in 
all scenarios, therefore we set Lyy = /c + 40 for both accuracy 
and efficiency. 

4) Impact of the time gain factor A: Fig(9] shows the 
impact of A. The contribution of A for stationary scenarios 
is little to decrease error rates. However, higher A introduces 
some visible improvements on reducing errors rates in highly 
dynamic scenarios. In Scenario G, we see approximately 5% 
FP error rate drop with nearly 2% FN error rate rise. 

5) Impacts of Dynamic Threshold Scaling: Apparently, 
lower threshold r determined by i rejects not only the at- 
tacking frames but also some legitimate frames which deviate 
from the trend center. However, a lower i is preferred since 
the premier goal of CSITE is to reject the attacking frames. 
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Fig. 7. The combined impacts of value k and update frequency f s in two scenarios A and G. (a) and (b) show the FP and FN error rates for Scenario A, 
and (c) (d) for G. 
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Fig. 



The combined effect of value k and sliding window length L w on error rate under two scenarios A and G. 
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(c) FP error rate (d) FN error rate 

Fig. 10. (a) shows the average window stability aw of 7 scenarios in different f s . (b) shows the percentile i according to a~w and Eq[3] (c) and (d) present 
the corresponding FP and FN error rates using the percentile i shown in (b). 



Recall the DTS function introduced in Section III, FigflOta) 
shows the average window variance aw for different scenarios 
and frequencies. FigfTffib) shows the dynamic percentile i 
calculated according to Eq.Q. The impact to the FP and FN 
error rate is shown in FigfTOfc) and (d). We see that the FP 
error rates quickly drops to in stationary scenarios. For the 
most dynamic scenario G, FP error rate drops to astonishingly 
5% when f s = 5Hz at a cost of near 50% FN error rate, 
and The FP and FN error rates drop to 1.53% and 18% when 
fs = 20Hz. 

E. Evaluation on ME transmission assurance system 

To fully evaluate the transmission of MF in different f s 
and scenarios, the data frames before the precursor frames are 
randomly dropped to simulate different f s , and the length of 
precursor frames L pre varies from to Lyv- 

Fig[TTJa) and (b) present the MF transmission success 
rate comparison with different amount of precursor frames 
in scenarios A and G. Since DTS function is turned on, 



many FP errors are generated when f s is low. However, with 
the help of precursor frames, we can see that even when 



f s = bHz, with the length L p 



L W9 90% and 78.5% 



one-shot success (Transsmission of M succeeds with only one 
transmission) rate can be achieved in scenarios A and G. When 
f 3 = 40Hz, 97.3% and 90.1% one-shot success rate can be 
achieved. FigJTTJc) presents the probability of transmission 
times required to delivery the M. There are more than 95% 
one-shot success rate in scenarios A and C, and in the most 
dynamic scenario G, 70% success rate is achieved in first two 
shots, while over 97% success rate can be done in three shots. 

V. Discussions 

Driver Enhancement: In Intel IWL5300 NIC driver, there 
are some codes dealing with rate control for different situa- 
tions. In our prototype, the rate control is modified to transmit 
the MFs using the same MCS rate of latest successful HT 
transmission. If it fails (no ACK reply), both precursor data 
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Fig. 11. (a) and (b) show in scenario A and G the success rate of MF with different amount of precursor frames, (c) shows the probability of how many 
transmissions (TXs) are required to successfully deliver the M in different scenarios. 



frames and MF will be transmitted in the lowest MCS value in 
the "BasicMCSSet" to ensure the success delivery. We mention 
again that these modification is permitted according to the 
"Multirate Support" in 802.1 In Specification |T3| Clause 9.6. 

Source authentication for control frame: Theoretically, if 
CSI value can be obtained for control frame, similar source 
authentication could be applied to control frames. However, 
it is currently impossible to achieve this goal, since the ACK 
feedback mechanism is hard-coded in firmware which is a 
binary file compiled from closed-source code. 

Vulnerability of M an- In-The -Middle Attack: Since CSITE 
detects spoofing MFs based on the CSI of encrypted data 
frames, if the data frames are replayed in physical layer, 
Man-In-The-Middle (MITM) attack may succeeded. To launch 
MITM, the attacker must be able to jam the paired stations 
and simultaneously tunnel their traffic through the attacker. 
To detect such attacks, user only need to open a virtual 
monitor interface. If these is the jamming, the overheard flows 
to different address will disappear simultaneously, which is 
impossible in normal situation. This mitigates the impact of 
MITM attack. However, we believe in most of attack scenarios, 
such kind of powerful attacker does not exist. 

VI. Conclusion 

Management frame, the basis for operating 802.11 net- 
work normally, is extremely vulnerable to attacks. Spoofing 
detection without cooperative information is unreliable using 
existing methods. Based on off-the-shelf hardware, we design 
CSITE, a Wi-Fi management frame source authentication 
system. It leverages the unique characteristics of CSI to verify 
the authenticity of MFs, and the detection is tuned to be highly 
strict to False Positive (FP) errors. To guarantee the successful 
delivery of MFs even under most intensive channel dynamics, 
we devise a method called CRE, which makes the MFs pass 
the detection with the help of precursor frames. Extensive eval- 
uations are conducted to verify the security ability, accuracy, 
and efficiency. These evaluations show excellent authentication 
ability and strong rejection against attacks. 

References 

[1] S. Boob and P. Jadhav, "Wireless intrusion detection system," Interna- 
tional Journal of Computer Applications IJCA, 2010. 



[2] J. Bellardo and S. Savage, "802.11 denial-of-service attacks: Real 
vulnerabilities and practical solutions," in USENIX Security, 2003. 

[3] H. Yang, J. Shu, X. Meng, and S. Lu, "Scan: self-organized network- 
layer security in mobile ad hoc networks," Selected Areas in Communi- 
cations, IEEE Journal on, 2006. 

[4] K. Pelechrinis, M. Iliofotou, and V. Krishnamurthy, "Denial of service 
attacks in wireless networks: The case of jammers," IEEE Communica- 
tions Surveys & Tutorials,, 2010. 

[5] W. Arbaugh, N. Shankar, Y. Wan, and K. Zhang, "Your 80211 wireless 
network has no clothes," IEEE Wireless Communications, 2002. 

[6] M. Ahmad and S. Tadakamadla, "Short paper: security evaluation of 
ieee 802.11 w specification," in ACM WiSec'll. 

[7] M. Eian and S. F.Mjolsnes, "A formal analysis of ieee 802. llw deadlock 
vulnerabilities," in IEEE INFOCOM'12. 

[8] Y. Sheng, K. Tan, and et al., "Detecting 802.1 1 mac layer spoofing using 
received signal strength," in IEEE INFOCOM'08. 

[9] P. Chumchu, T. Saelim, and C. Sriklauy, "A new mac address spoofing 
detection algorithm using plcp header," in IEEE ICOIN'll. 
[10] J. Yang, Y. Chen, W. Trappe, and J. Cheng, "Detection and localization 

of multiple spoofing attackers in wireless networks," 2012. 
[11] C. Bo and Z. e. a. Jiang, "Locating sensors in the forest: A case study 

in greenorbs," in IEEE INFOCOM'12. 
[12] W. Xi, Y. He, and et al., "Locating sensors in the wild: pursuit of ranging 

quality," in ACM Sensys'10. 
[13] IEEE 802.11 n Working Group and others, IEEE Standard 802.1 In. 
[14] C. Mitchell, "Security analysis and improvements for ieee 802.11 i," in 
(NDSS'05). 

[15] Y. Chen, W. Trappe, and R. Martin, "Detecting and localizing wireless 

spoofing attacks," in IEEE SECON'07. 
[16] F. Guo and T. Chiueh, "Sequence number-based mac address spoof 

detection," in Recent Advances in Intrusion Detection, 2006. 
[17] M. Barbeau, J. Hall, and E. Kranakis, "Detecting impersonation attacks 

in future wireless and mobile networks," IEEE SECON'06. 
[18] B. Danev, H. Luecken, S. Capkun, and K. El Defrawy, "Attacks on 

physical-layer identification," in ACM WiSec '06. 
[19] J. Yang, Y. Chen, W. Trappe, and J. Cheng, "Determining the number 

of attackers and localizing multiple adversaries in wireless spoofing 

attacks," in IEEE INFOCOM'09. 
[20] K. Zeng, K. Govindan, D. Wu, and P. Mohapatra, "Identity-based attack 

detection in mobile wireless networks," in IEEE INFOCOM'll. 
[21] N. Patwari and S. Kasera, "Robust location distinction using temporal 

link signatures," in ACM Mobicom '07. 
[22] J. Zhang, M. Firooz, N. Patwari, and S. Kasera, "Advancing wireless 

link signatures for location distinction," in ACM Mobicom '08. 
[23] K. Wu, J. Xiao, Y. Yi, M. Gao, and L. Ni, "Fila: Fine-grained indoor 

localization," in IEEE INFOCOM'12. 
[24] S. Sen, R. Choudhury, and S. Nelakuditi, "Spinloc: Spin once to know 

your location." 

[25] S. Sen, B. Radunovic, R. Choudhury, and T. Minka, "Spot localization 

using phy layer information," in ACM MobiSys'12. 
[26] Y. Liu and P. Ning, "Enhanced wireless channel authentication using 

time-synched link signature," in IEEE INFOCOM'12. 
[27] V. Hautamaki, I. Karkkainen, and P. Franti, "Outlier detection using 

k-nearest neighbour graph," in IEEE ICPR'04. 
[28] C. Aggarwal and P. Yu, "Outlier detection for high dimensional data," 

ACM Sigmod Record, 2001. 



